www.tufin.com
2606:4700:10::ac43:1ae2
Public Scan
Submitted URL: https://go.tufin.com/NzY5LUlDRi0xNDUAAAGUiSvYEmoaMYl_Gkz4Fi4_Fp5S_Zxmxki44jcbYlo275Yu9bvNibiGmC1Lz2MsV1oRTJ6seDM=
Effective URL: https://www.tufin.com/blog/12-best-practices-for-a-corporate-firewall-review?utm_source=marketo&utm_medium=email&utm_c...
Submission: On July 25 via api from US — Scanned from DE
Form analysis
4 forms found in the DOM
Text Content
12 BEST PRACTICES FOR A CORPORATE FIREWALL REVIEW

Last updated July 17th, 2024 by Erez Tadmor

A firewall review assesses whether your company’s network security capabilities align with your organization’s business needs and risk tolerance, so that you can mitigate cyberattack risk. Modern digitally transformed businesses often incorporate multiple firewall vendors with different naming conventions, which makes it challenging to maintain a consistent cybersecurity posture. With new data protection requirements every year, you should incorporate firewall reviews as part of your network security monitoring initiatives.

IDENTIFY AUDIT PLAN OBJECTIVES AND SCOPE

Every audit begins by identifying the purpose and objectives.
For example, you may engage in audits for the following reasons:

* Document compliance: Compliance with security standards and industry standards, like PCI DSS, HIPAA, NIST, ECB, GDPR, SOX, or NERC CIP
* Reduce attack surface: Decommission unused, shadowed, or outdated rules
* Optimize performance: Improve network speed by simplifying rules or deleting unnecessary rules

UNDERSTAND NETWORK TOPOLOGY

A key information security control is creating demilitarized zones (DMZs), or security zones, that reduce the likelihood that cyber attacks will impact multiple subnets. However, these DMZs make establishing a baseline for firewall reviews more challenging. Understanding the network’s topology involves reviewing firewall:

* Locations
* Connectivity
* Roles
* Manufacturers

GATHER AUDIT DOCUMENTATION

To streamline firewall reviews, the following information should be available for cybersecurity management stakeholders:

* Security policies: Internal controls detailing best practices
* Firewall logs: Technical documentation showing protocols, IP addresses, and subnets
* Risk assessments: Risk identification, review, and remediation activities
* Rulesets: Firewall configurations
* Audit reports: Documents identifying previous audit outcomes or findings

EVALUATE FIREWALL RULE PLACEMENT AND ORDER

Firewall rules should be arranged logically, from highest priority at the top to lowest at the bottom. Best practices for firewall rule order are typically rulesets that:

* Allow specific traffic
* Block by default

Rulesets that allow traffic should be precise, often including:

* Source IP address
* Destination IP address
* Destination port
* Protocol, like TCP, ICMP, or UDP

ASSESS FIREWALL RULE UNUSED OBJECTS

Unused objects are networks, subnets, services, applications, user groups, or connections not specified in the ruleset or as part of a group. Unused objects create security vulnerabilities that malicious actors can exploit.

ANALYZE ACCESS CONTROL LISTS (ACLS)

ACLs control the traffic allowed to enter the internal network from the public internet. Overly permissive rules can create security risks. Best practices for validating firewall rules include:

* Limiting source and destination traffic as much as possible
* Explicitly defining the destination IP address or groups rather than using “any”
* Not allowing traffic from “any” source to “any” destination
* Not allowing all traffic to a destination or group of destinations
* Limiting the number of globally open ports, that is, those defining the source as “any”

REVIEW ROLES AND ACCESS PRIVILEGES

To maintain least privilege access, you should periodically review network access controls for users, especially privileged users like administrators. When engaging in a firewall audit, some best practices for user access certification include reviewing whether:

* User roles and permissions remain consistent across firewall vendors
* Policies remain consistent when user and network asset IP addresses change
* User access was terminated appropriately
* All user access to critical network resources is justified
* Only current admins have access to the firewall console

REVIEW CHANGE MANAGEMENT PROCEDURES

You should have structured procedures for managing, approving, and tracking firewall configuration changes. Reviewing the change management procedures should ensure you document, at minimum, the following:

* Risks associated with policy changes
* Effect policy changes have on the network
* Remediation and mitigation strategy
* Reasons and objectives for changing rulesets
* Audit trail detailing the who, why, and when for any modifications

HARDEN FIREWALL HARDWARE AND OPERATING SYSTEM

Malicious actors can use security vulnerabilities in the firewall’s firmware or operating system to gain unauthorized access to networks and systems.
Part of the firewall review should include:

* Scanning regularly for vulnerabilities
* Prioritizing remediation for high-risk vulnerabilities
* Ensuring that all updates are applied in compliance with your organizational vulnerability management policies

REVIEW FIREWALL LOGS

Firewall logs document activity occurring within the environment to help monitor network security and vulnerabilities. Since firewall logs can be overwhelming, organizations should ensure they collect the right amount of data to achieve objectives. Some events that the firewall logs should track include:

* Permitted, blocked, or dropped connections
* Activity from intrusion detection systems (IDS)/intrusion prevention systems (IPS)
* User activity
* Protocol usage
* Cut-through-proxy activity

After determining that logging is appropriately configured, you can review the logs to identify trends about firewall security and compliance, including:

* Anomalous traffic patterns indicating a potential security incident
* Inbound and outbound traffic analysis for rule effectiveness and efficiency
* Updates to blocklists and allowlists that can improve network security

REVIEW RISK ASSESSMENT DOCUMENTATION

Before and after making the necessary security policy and firewall ruleset changes, you should document their risk review. Before implementing changes in the change management process, look for risk assessment best practices such as:

* Impact to security policy conformance
* Source and destination vulnerabilities when changing access controls
* Business continuity risks
* “What-if” path analysis for path options that might impact risk
* Impact to attack surface and exposure
* Consistency with change management processes

REMEDIATE ISSUES AND TEST NEW FIREWALL RULES

If the audit process identifies issues, the final step is to remediate them and test the new firewall rule configurations.
Testing the changes prior to implementing them across the network reduces operational impact that can cause business disruption.

Automated Documentation with Tufin

Tufin provides a unified platform that streamlines firewall management and auditing with vendor-agnostic Unified Security Policies (USPs) that ensure consistency across hybrid and multi-cloud network architectures. With comprehensive visibility from Tufin’s network topology maps and risk assessment workflow automations, you can achieve continuous compliance monitoring with detailed reports to reduce preparation time for improved audit readiness.